Closed
Bug 568276
Opened 15 years ago
Closed 14 years ago
Assertion failure: entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG, at /home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp:2738
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Flag | Tracking | Status
---|---|---
blocking2.0 | --- | beta8+
blocking1.9.2 | --- | -
status1.9.1 | --- | unaffected
People
(Reporter: cjones, Assigned: cdleary)
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey (by bug 558451))
Attachments (1 file): patch, 268 bytes, brendan: review+
This was while loading the "new interface" in a background tab. Will try to reproduce in a moment.

(gdb) bt
#0 0x00007fb66726c471 in nanosleep () from /lib/libc.so.6
#1 0x00007fb66726c2c0 in __sleep (seconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2 0x00007fb66bbd60c3 in ah_crap_handler (signum=6) at /home/cjones/mozilla/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3 0x00007fb66bbdae0d in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fffbe9b9df0, context=0x7fffbe9b9cc0) at nsProfileLock.cpp:221
#4 <signal handler called>
#5 0x00007fb66e87e05b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#6 0x00007fb66b26e558 in JS_Assert (s=0x7fb66b335730 "entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG", file=0x7fb66b334ba0 "/home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp", ln=2738) at /home/cjones/mozilla/mozilla-central/js/src/jsutil.cpp:80
#7 0x00007fb66b186353 in HashLocalName (cx=0x3240130, map=0x7fb644cf5d10, name=0x7fb66b5bdd44, localKind=JSLOCAL_VAR, index=13) at /home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp:2738
#8 0x00007fb66b186881 in js_AddLocal (cx=0x3240130, fun=0x7fb63b5a68c0, atom=0x7fb66b5bdd44, kind=JSLOCAL_VAR) at /home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp:2860
#9 0x00007fb66b20bb49 in js::Parser::functionDef (this=0x7fffbe9bb2d0, lambda=0, namePermitted=true) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:2677
#10 0x00007fb66b20c672 in js::Parser::functionStmt (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:2965
#11 0x00007fb66b210577 in js::Parser::statement (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:4513
#12 0x00007fb66b20c8af in js::Parser::statements (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:3040
#13 0x00007fb66b2085cc in js::Parser::functionBody (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:1247
#14 0x00007fb66b20c176 in js::Parser::functionDef (this=0x7fffbe9bb2d0, lambda=8, namePermitted=true) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:2829
#15 0x00007fb66b20c696 in js::Parser::functionExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:2971
#16 0x00007fb66b2196f7 in js::Parser::primaryExpr (this=0x7fffbe9bb2d0, tt=js::TOK_FUNCTION, afterDot=0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:7740
#17 0x00007fb66b21750a in js::Parser::memberExpr (this=0x7fffbe9bb2d0, allowCallSyntax=1) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6879
#18 0x00007fb66b2158a1 in js::Parser::unaryExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6252
#19 0x00007fb66b21513f in js::Parser::mulExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6093
#20 0x00007fb66b215059 in js::Parser::addExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6079
#21 0x00007fb66b214fad in js::Parser::shiftExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6068
#22 0x00007fb66b214e89 in js::Parser::relExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6046
#23 0x00007fb66b214dad in js::Parser::eqExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6027
#24 0x00007fb66b214d13 in js::Parser::bitAndExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6018
#25 0x00007fb66b214c79 in js::Parser::bitXorExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6008
#26 0x00007fb66b214bdf in js::Parser::bitOrExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5999
#27 0x00007fb66b214b45 in js::Parser::andExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5990
#28 0x00007fb66b214aab in js::Parser::orExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5981
#29 0x00007fb66b214906 in js::Parser::condExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5946
#30 0x00007fb66b2145e4 in js::Parser::assignExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5868
#31 0x00007fb66b214844 in js::Parser::assignExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5923
#32 0x00007fb66b2143f9 in js::Parser::expr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5832
#33 0x00007fb66b2135cb in js::Parser::statement (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5554
#34 0x00007fb66b207617 in js::Compiler::compileScript (cx=0x3240130, scopeChain=0x7fb641d62a80, callerFrame=0x0, principals=0x7fb644288a58, tcflags=24576, chars=0x7fb64fdd9018, length=815558, file=0x0, filename=0x7fb6440af998 "http://mail.yimg.com/d/combo?/gx/t8a/js/yui_loader/ba87c64b1f20e3e7898b0dc28b2173a6_1.js&/gx/t8a/js/combo/init/us/d1290a63976b96e8e785156d6a6037d2_1.js&/gx/t7a/js/combo/init/us/ycw_gx_1.js&/pim/r/dcli"..., lineno=1, source=0x0, staticLevel=0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:840
#35 0x00007fb66b12e56d in JS_EvaluateUCScriptForPrincipals (cx=0x3240130, obj=0x7fb641d62a80, principals=0x7fb644288a58, chars=0x7fb64fdd9018, length=815558, filename=0x7fb6440af998 "http://mail.yimg.com/d/combo?/gx/t8a/js/yui_loader/ba87c64b1f20e3e7898b0dc28b2173a6_1.js&/gx/t8a/js/combo/init/us/d1290a63976b96e8e785156d6a6037d2_1.js&/gx/t7a/js/combo/init/us/ycw_gx_1.js&/pim/r/dcli"..., lineno=1, rval=0x0) at /home/cjones/mozilla/mozilla-central/js/src/jsapi.cpp:4905
#36 0x00007fb66c4c264f in nsJSContext::EvaluateString (this=0x32400c0, aScript=..., aScopeObject=0x7fb641d62a80, aPrincipal=0x7fb644288a50, aURL=0x7fb6440af998 "http://mail.yimg.com/d/combo?/gx/t8a/js/yui_loader/ba87c64b1f20e3e7898b0dc28b2173a6_1.js&/gx/t8a/js/combo/init/us/d1290a63976b96e8e785156d6a6037d2_1.js&/gx/t7a/js/combo/init/us/ycw_gx_1.js&/pim/r/dcli"..., aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0x7fffbe9bb790) at /home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:1779
#37 0x00007fb66c25618c in nsScriptLoader::EvaluateScript (this=0x7fb6443c3780, aRequest=0x7fb64409b1d0, aScript=...) at /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp:752
#38 0x00007fb66c255b38 in nsScriptLoader::ProcessRequest (this=0x7fb6443c3780, aRequest=0x7fb64409b1d0) at /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp:665
#39 0x00007fb66c2565e6 in nsScriptLoader::ProcessPendingRequests (this=0x7fb6443c3780) at /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp:825
#40 0x00007fb66c257069 in nsScriptLoader::OnStreamComplete (this=0x7fb6443c3780, aLoader=0x7fb64435dde0, aContext=0x7fb64409b1d0, aStatus=0, aStringLen=815637, aString=0x7fb6447eb890 "if(typeof YAHOO==\"undefined\"||!YAHOO){var YAHOO={}}YAHOO.namespace=function(){var a=arguments,b=null,d,e,c;for(d=0;d<a.length;d=d+1){c=(\"\"+a[d]).split(\".\");b=YAHOO;for(e=(c[0]==\"YAHOO\")?1:0;e<c.length"...) at /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp:1013
#41 0x00007fb66bc51fa3 in nsStreamLoader::OnStopRequest (this=0x7fb64435dde0, request=0x7fb6442d99d0, ctxt=0x7fb64409b1d0, aStatus=0) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsStreamLoader.cpp:125
#42 0x00007fb66bc7708e in nsHTTPCompressConv::OnStopRequest (this=0x7fb6440d1700, request=0x7fb6442d99d0, aContext=0x7fb64409b1d0, aStatus=0) at /home/cjones/mozilla/mozilla-central/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
#43 0x00007fb66bc50d72 in nsStreamListenerTee::OnStopRequest (this=0x7fb6440dfed0, request=0x7fb6442d99d0, context=0x7fb64409b1d0, status=0) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsStreamListenerTee.cpp:71
#44 0x00007fb66bd14968 in nsHttpChannel::OnStopRequest (this=0x7fb6442d9980, request=0x7fb6440fca70, ctxt=0x0, status=0) at /home/cjones/mozilla/mozilla-central/netwerk/protocol/http/src/nsHttpChannel.cpp:5321
#45 0x00007fb66bc183c2 in nsInputStreamPump::OnStateStop (this=0x7fb6440fca70) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:578
#46 0x00007fb66bc17c58 in nsInputStreamPump::OnInputStreamReady (this=0x7fb6440fca70, stream=0x7fb644660cd8) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:403
#47 0x00007fb66d0be679 in nsInputStreamReadyEvent::Run (this=0x7fb6444d29e0) at /home/cjones/mozilla/mozilla-central/xpcom/io/nsStreamUtils.cpp:112
#48 0x00007fb66d0ec839 in nsThread::ProcessNextEvent (this=0x10e3fd0, mayWait=1, result=0x7fffbe9bbc5c) at /home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:547

There's a lot of stdout/stderr right before the crash that might be relevant:

JavaScript error: https://login.yahoo.com/config/login?, line 985: toCheck is undefined
++DOMWINDOW == 29 (0x3558b90) [serial = 43] [outer = 0x323fd60]
++DOMWINDOW == 30 (0x3317910) [serial = 44] [outer = 0x323fd60]
WARNING: 1 sort operation has occurred for the SQL statement '0x2d07ca8'. See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/cjones/mozilla/mozilla-central/storage/src/mozStoragePrivateHelpers.cpp, line 131
WARNING: 1 sort operation has occurred for the SQL statement '0x2d07ca8'. See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/cjones/mozilla/mozilla-central/storage/src/mozStoragePrivateHelpers.cpp, line 131
WARNING: 1 sort operation has occurred for the SQL statement '0x2d07ca8'. See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/cjones/mozilla/mozilla-central/storage/src/mozStoragePrivateHelpers.cpp, line 131
WARNING: 1 sort operation has occurred for the SQL statement '0x2d07ca8'. See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/cjones/mozilla/mozilla-central/storage/src/mozStoragePrivateHelpers.cpp, line 131
++DOMWINDOW == 31 (0x7fb6440ee790) [serial = 45] [outer = 0x323fd60]
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427

This is with a debug build of http://hg.mozilla.org/rev/13b292f9ab79
Comment 3 • 14 years ago
Need an owner -- assertbotches are must-fix-before-shipping (if not sooner). /be
Comment 5 • 14 years ago
Reproducible on tracemonkey tip. I constructed this example:

function outer(a) { var b, c, d, e, f, g, h, i; function a() {} }

Scenario: A top level function is inside a function body where a local is already defined as an argument (|a| in this example), when you have more than MAX_ARRAY_LOCALS, which hits a HashLocalName on an atom that has been previously defined. The assertion posits that the only duplicated identifiers in the locals map are arguments (which I didn't realize JS permitted!), and the function has to be added as a local for BindNameToSlot to work on it, so the addition is in violation. Talk about state space!

Will have a patch once I analyze the rest of the invocation sites -- we don't want to leave YUI broken in debug mode, if that's what this part of the big minified blob is.

(Note to future self: minified code is annoying -- make some better jschar* dumping functions...)
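An added example, not code from this bug or from SpiderMonkey, showing from the language side the binding rules the assertion in comment 5 guards and the duplicate-formals rule comment 9 complains about: a hoisted function declaration named like a parameter shadows that parameter (so the engine must bind it as a local under a name the argument map already holds), sloppy-mode duplicate formals are accepted with the last one taking the argument value, and strict mode rejects them as an early SyntaxError. `outer` is comment 5's reproducer extended to return `typeof a`; the other function names are mine.

```javascript
// Added example, not code from the bug or from SpiderMonkey. It exercises the
// language-level binding rules behind the assertion discussed in comment 5 and
// the duplicate-formals rule discussed in comment 9.

// Comment 5's reproducer with a return value added: the hoisted function
// declaration |a| must shadow the parameter |a|, which is why the parser has to
// record it as a local under a name the argument map already contains.
function outer(a) {
  var b, c, d, e, f, g, h, i; // enough locals to leave the small-array path
  function a() {}
  return typeof a; // "function", regardless of the argument passed in
}

// Duplicate formals in sloppy mode: accepted, and the last binding of the name
// receives the argument value. The Function constructor is used so that a
// strict-mode host file does not reject this source before it runs.
function duplicateFormalsSloppy() {
  var dup = new Function("x", "x", "return x;");
  return dup(1, 2); // 2: the second |x| wins
}

// The same construct under "use strict" is an early SyntaxError, so code that
// opts into strict mode never reaches the engine with duplicate formals.
// Returns a string rather than throwing so the outcome is checkable.
function duplicateFormalsStrict() {
  try {
    new Function('"use strict"; function f(x, x) {} return f;');
    return "accepted";
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : e.name;
  }
}

// Collects the three observations so they can be checked or printed together.
function summary() {
  return {
    innerFunctionShadowsParam: outer(1),
    sloppyDuplicateFormals: duplicateFormalsSloppy(),
    strictDuplicateFormals: duplicateFormalsStrict(),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summary());
}
```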
Comment 6 • 14 years ago
js> function outer(a) { var b, c, d, e, f, g, h, i; function a() {} }
Assertion failure: entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG, at ../jsfun.cpp:2716

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb5d in JS_Assert (s=0x1e97b0 "entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG", file=0x1e93eb "../jsfun.cpp", ln=2716) at ../jsutil.cpp:77
77 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb)
(gdb) bt
#0 0x0014fb5d in JS_Assert (s=0x1e97b0 "entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG", file=0x1e93eb "../jsfun.cpp", ln=2716) at ../jsutil.cpp:77
#1 0x0006c328 in HashLocalName (cx=0x809200, map=0x40cb80, name=0x20bd54, localKind=JSLOCAL_VAR, index=8) at ../jsfun.cpp:2716
#2 0x0006c8f6 in js_AddLocal (cx=0x809200, fun=0x10049d8, atom=0x20bd54, kind=JSLOCAL_VAR) at ../jsfun.cpp:2838
#3 0x000f976f in js::Parser::functionDef (this=0xbffff43c, lambda=0, namePermitted=true) at ../jsparse.cpp:2672
#4 0x00100d77 in js::Parser::functionStmt (this=0xbffff43c) at ../jsparse.cpp:2960
#5 0x000f5aac in js::Parser::statement (this=0xbffff43c) at ../jsparse.cpp:4498
#6 0x000f8e50 in js::Parser::statements (this=0xbffff43c) at ../jsparse.cpp:3035
#7 0x000f903a in js::Parser::functionBody (this=0xbffff43c) at ../jsparse.cpp:1242
#8 0x000f9d6c in js::Parser::functionDef (this=0xbffff43c, lambda=0, namePermitted=true) at ../jsparse.cpp:2824
#9 0x00100d77 in js::Parser::functionStmt (this=0xbffff43c) at ../jsparse.cpp:2960
#10 0x000f5aac in js::Parser::statement (this=0xbffff43c) at ../jsparse.cpp:4498
#11 0x000f8e50 in js::Parser::statements (this=0xbffff43c) at ../jsparse.cpp:3035
#12 0x00100dce in js::Parser::parse (this=0xbffff43c, chain=0x1002000) at ../jsparse.cpp:677
#13 0x00016d25 in JS_BufferIsCompilableUnit (cx=0x809200, obj=0x1002000, bytes=0x40c750 "function outer(a) { var b, c, d, e, f, g, h, i; function a() {} }", length=65) at ../jsapi.cpp:4479
#14 0x000098c2 in Process (cx=0x809200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:452
#15 0x0000a369 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff7ec, argc=1) at ../../shell/js.cpp:843
#16 0x0000a482 in shell (cx=0x809200, argc=1, argv=0xbffff7ec, envp=0xbffff7f4) at ../../shell/js.cpp:5025
#17 0x0000a5a6 in main (argc=1, argv=0xbffff7ec, envp=0xbffff7f4) at ../../shell/js.cpp:5112
blocking2.0: --- → ?
Keywords: regression, testcase
OS: Linux → All
Hardware: x86_64 → All
Version: unspecified → Trunk
Comment 7 • 14 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 35287:6708e8f357f2
user: Jim Blandy
date: Thu Nov 26 10:23:52 2009 -0800
summary: Bug 499524: Always check for duplicates when destructuring params are present. r=igor
Blocks: 499524
Comment 9 • 14 years ago
Duplicate formals are an ES1 botch, something not in Netscape, something that the Microsoft rep insisted on. I don't recall why (maybe just because JScript allowed them). They are a blight on the spec and on all implementations. /be
Updated • 14 years ago
blocking2.0: ? → betaN+
Comment 10 • 14 years ago
This bug became obsolete when the JSScope removal happened, since variable data became stored in the shape tree: http://hg.mozilla.org/tracemonkey/rev/e5958cd4a135 Nice complexity reduction!
Attachment #484249 - Flags: review?(brendan)
Updated • 14 years ago
blocking2.0: betaN+ → beta8+
Updated • 14 years ago
Attachment #484249 - Flags: review?(brendan) → review+
Comment 11 • 14 years ago
http://hg.mozilla.org/tracemonkey/rev/053d66804a49
http://hg.mozilla.org/tracemonkey/rev/713cde946260
Whiteboard: fixed-in-tracemonkey
Comment 12 • 14 years ago
http://hg.mozilla.org/mozilla-central/rev/053d66804a49
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 13 • 14 years ago
I can reproduce this assertion on 1.9.2 linux/mac at least on http://www.arabianbusiness.com/ste-unique-opportunity-for-middle-east-354164.html file new bug?
Comment 14 • 14 years ago
(In reply to comment #13)
> I can reproduce this assertion on 1.9.2 linux/mac at least on
> http://www.arabianbusiness.com/ste-unique-opportunity-for-middle-east-354164.html
>
> file new bug?

The fuzzers find this too. Bug 558451 fixed this, but it seems like a large patch that shouldn't be backported unless there are compelling reasons.
blocking1.9.2: --- → ?
Comment 15 • 14 years ago
Unless there's more evidence of a security problem we don't want to take the fix for bug 558451 on the 1.9.2 branch.
blocking1.9.2: ? → -
status1.9.1: --- → unaffected
Depends on: 558451
Whiteboard: fixed-in-tracemonkey → fixed-in-tracemonkey (by bug 558451)
Comment 16 • 14 years ago
Just for reference, on the 1.9.2 branch this is also reproducible on http://www.tudou.com/playlist/p/a65404.html?iid=71677615
Comment 17 • 12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug568276.js.
Flags: in-testsuite+